Summary

This article discusses security issues in installing and configuring the Apache web server on the UNIX platform.
We assume that the system administrator reading this article has already chosen the modules needed for his own site and is able to configure, build, and troubleshoot them. The main purpose of this article is to help you set up a secure Apache web server.

Among the many web server products, Apache is the most widely used, and it is also designed to be very safe. However, as with other applications, Apache has security flaws. This article discusses three of them: denial of service attacks that use the HTTP protocol, buffer overflow attacks, and attackers obtaining root privileges.

Note: a reasonable configuration protects Apache from a variety of attacks, but denial of service attacks at the network layer cannot be prevented by adjusting the Apache configuration. This article covers denial of service attacks that use the HTTP (application layer) protocol.

The main defects

• HTTP denial of service: the attacker uses some means to make the server refuse to respond to HTTP requests. This makes Apache's demand for system resources (CPU time and memory) surge, ultimately slowing the system down or even paralyzing it completely.
• Buffer overflow: the attacker exploits programming defects to divert a program from its normal flow. If a program uses statically allocated memory to hold request data, the attacker can send an overlong request that overflows the buffer; one example is gateway scripts written in Perl to process user requests. Once a buffer overflows, the attacker may be able to execute malicious instructions or bring the system down.
• Attackers obtaining root privileges: Apache generally runs with root privileges (the parent process). An attacker who obtains root privileges through it can then control the entire system.

Getting the latest version

Using the most secure version of Apache is essential to strengthening the security of an Apache web server.
You can get the latest version of Apache from the official Apache website, http://www.apache.org.

Protecting the configuration files

The Apache web server has three main configuration files, generally located in the /usr/local/apache/conf directory: httpd.conf, srm.conf and access.conf. These files are the control center of the whole server, so you need to be familiar with all three. httpd.conf is the master configuration file; srm.conf lets you add resource files; access.conf sets file access permissions. For these files, see http://httpd.apache.org/docs/mod/core.html.

Server access control

The access.conf file contains directives that control which users are allowed to access Apache directories. Start with deny from all as the initial directive, then use allow from directives to open up access. You can allow access from a particular domain, IP address or IP range. For example:

    order deny,allow
    deny from all
    allow from sans.org

Password protection

With .htaccess files you can grant access to a directory to a particular user. The system administrator needs to use the AccessFileName directive in httpd.conf or srm.conf to turn on per-directory access control. The following is an example .htaccess file:

    AuthName PrivateFiles
    AuthType Basic
    AuthUserFile /path/to/httpd/users
    require user foo

Then use the following command to add a user:

    # htpasswd -c /path/to/httpd/users foo

Apache log files

System administrators can use the LogFormat directive to control what information goes into the log files. With the directive LogFormat "%a %l", the IP address and host name of the browser making the HTTP request are recorded in the log file. For security reasons, you should at least record those web users whose authentication failed; adding a LogFormat directive containing "%401u" to httpd.conf achieves this. The directive has many other parameters, which you can look up in the Apache documentation.
In addition, the Apache error log is very important for system administrators. It records server starts and stops and failed CGI executions.

Security-related directives

The Apache configuration files offer several security-related directives. For more on their usage, see http://httpd.apache.org/docs/mod/directives.html.

The following directives help reduce the threat of denial of service:

• LimitRequestBody: numeric parameter; controls the size of the HTTP request.
• LimitRequestFields: numeric parameter; controls the number of request headers.
• KeepAlive: sets the connection lifetime.
• KeepAliveTimeout: limits the time to wait for a request.

The following directives help reduce the danger of buffer overflow:

• LimitRequestFieldSize: limits the size of each request header.
• LimitRequestLine: limits the size of each request line.

CGI (Common Gateway Interface) security threats

CGI security is very important: attackers can use CGI bugs to obtain system information, execute system commands, and consume system resources. If a CGI program uses statically allocated memory, it may open the way to a buffer overflow attack. To reduce this risk, programmers should allocate memory dynamically in CGI code. Beyond the care taken by CGI authors, the system administrator can wrap CGI programs (for example with CGIWrap or suEXEC) to strengthen CGI security. The CGI program then runs with the permissions of a separate user, so even if a buffer overflow occurs, it affects only that user's directories and files.

Perl is a powerful scripting language, used mainly for text processing, and a programmer can also make system calls from a Perl script. A badly written script opens the door for an attacker to get into the server, so Perl scripts must be written carefully to avoid this kind of vulnerability.
In a Perl script that processes request data, it is a good idea to call a dedicated routine that checks the validity of the input. In addition, make sure that Apache is not running with root privileges and that Perl scripts are restricted to a specific directory.

SSI (Server-Side Includes) security

With SSI, programmers can build common routines and include them in their code wherever they are needed. SSI also allows external programs to be executed conditionally, and an attacker may use this to make the server run malicious programs. Using IncludesNOEXEC in the access.conf file turns off the ability of SSI files to execute programs. However, this directive also causes the server not to execute CGI scripts or programs from SSI pages.

Other security tools

TCP Wrappers and Tripwire give your system additional protection. You can use TCP Wrappers to control Telnet or FTP access. Tripwire is a data integrity checking tool that helps system administrators monitor whether the system has been changed; in Tripwire's configuration files you can write specific policies to monitor whether your web server's configuration files, data and CGI files have been modified.

Summary

Apache is an excellent web server. Although its developers attach great importance to security, Apache is very large, so there will be security risks. Pay attention to the following when installing and maintaining Apache:

• Check that file and directory permissions are appropriate.
• Check that the settings in httpd.conf, srm.conf and access.conf are appropriate.
• Have the server log files record as much detail as possible.
• Password-protect directories that need special protection (.htaccess).
• Wrap CGI scripts or programs.
• If CGI programs are written in Perl, check their security.
• Check SSI directives.
• Use TCP Wrappers and Tripwire.

Author: renyubous (an ear)
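
Part of the checklist above can be automated. The following Python script is an added example, not part of the original article: it scans configuration text for the directives and settings the article recommends. The function names and the sample configuration are constructed for illustration, and the check that a value of 0 means "unlimited" goes beyond what the article states.

```python
import re

# Directives the article recommends, mapped to the threat each one limits.
RECOMMENDED = {
    "LimitRequestBody": "denial of service",
    "LimitRequestFields": "denial of service",
    "KeepAlive": "denial of service",
    "KeepAliveTimeout": "denial of service",
    "LimitRequestFieldSize": "buffer overflow",
    "LimitRequestLine": "buffer overflow",
}

def directives(conf_text):
    """Yield (name, args) lower-cased; skip comments and <Section> tags."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), " ".join(parts[1:]).lower()

def audit(conf_text):
    """Return findings for the text of httpd.conf, srm.conf and access.conf."""
    seen = list(directives(conf_text))
    names = {name for name, _ in seen}
    found = [f"missing {d} ({why})" for d, why in RECOMMENDED.items()
             if d.lower() not in names]
    for name, args in seen:
        if name in ("limitrequestbody", "limitrequestfields") and args == "0":
            found.append(f"{name} is 0 (unlimited)")
        if name == "user" and args == "root":
            found.append("User root: requests are served as root")
        if name == "options" and re.search(r"(^|\s)\+?includes(\s|$)", args):
            found.append("SSI can execute programs: use IncludesNOEXEC")
    if ("deny", "from all") not in seen:
        found.append("no 'deny from all' default")
    if not any(n == "logformat" and "%401u" in a for n, a in seen):
        found.append("no LogFormat with %401u")
    return found

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
User root
KeepAlive On
LimitRequestBody 0
Options Includes
allow from sans.org
LogFormat "%a %l" common
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pass it the concatenated text of the three configuration files; an empty result means none of these particular checks fired, not that the server is secure.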